Wednesday, 7 August 2013

Stop 0x19 - Corrupt Pool Header - !pool, !poolval, dt nt!_POOL_HEADER

This blog post is going to be more of a link to a thread again, but I'm going to quickly explain the fields within the _POOL_HEADER data structure. Please note that !pool and !poolval are explained in my Stop 0xC2 blog post.

Every pool allocation has a data structure called the Header, which is used to store information about the pool allocation such as its size, its owner and the previous allocation before it within the linked list.

The Block Size means the current size of the pool allocation.

Previous Size contains the size of the previous pool allocation.

Pool Tag is the owner of the pool allocation. You could use the !poolfind extension to find the allocation owned by that pool tag.
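
The following C example is added here and is not from the original post or from WinDbg: it walks the headers in one constructed pool page and checks that each header's Previous Size matches the Block Size of the header before it, the kind of inconsistency a corrupt pool header shows. It assumes the x64 header layout (one byte each for PreviousSize, PoolIndex, BlockSize and PoolType, then the 4-byte PoolTag) with sizes counted in 16-byte units; the function names, tags and sample page are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_UNIT 16u   /* assumption: x64 counts sizes in 16-byte units */

/* Assumed layout of the first 8 bytes of nt!_POOL_HEADER on x64. */
typedef struct {
    uint8_t previous_size;  /* Previous Size: size of the allocation before it */
    uint8_t pool_index;
    uint8_t block_size;     /* Block Size: size of this allocation */
    uint8_t pool_type;
    char    pool_tag[4];    /* Pool Tag: owner of the allocation */
} pool_header_t;

/* Walk the headers in one pool page. Returns -1 when every header is
   consistent, otherwise the byte offset of the first header whose
   fields do not agree with its neighbour or with the page bounds. */
long first_corrupt_header(const uint8_t *page, size_t len)
{
    size_t off = 0;
    uint8_t expected_prev = 0;              /* first block has no predecessor */
    while (off + sizeof(pool_header_t) <= len) {
        pool_header_t h;
        memcpy(&h, page + off, sizeof h);
        if (h.block_size == 0 || h.previous_size != expected_prev)
            return (long)off;               /* broken size chain */
        if (off + (size_t)h.block_size * POOL_UNIT > len)
            return (long)off;               /* block runs past the page */
        expected_prev = h.block_size;
        off += (size_t)h.block_size * POOL_UNIT;
    }
    return -1;
}

/* Helper for building constructed sample data. */
void put_header(uint8_t *page, size_t off, uint8_t prev, uint8_t size, const char *tag)
{
    pool_header_t h = { prev, 0, size, 2, {0} };
    memcpy(h.pool_tag, tag, 4);
    memcpy(page + off, &h, sizeof h);
}

int main(void)
{
    static uint8_t page[4096];              /* constructed page: 3 allocations */
    put_header(page, 0,   0x00, 0x10, "Tst1");
    put_header(page, 256, 0x10, 0x20, "Tst2");
    put_header(page, 768, 0x20, 0xD0, "Tst3");
    printf("clean page:  %ld\n", first_corrupt_header(page, sizeof page));
    page[256] = 0x41;                       /* Previous Size of 2nd header overwritten */
    printf("after write: %ld\n", first_corrupt_header(page, sizeof page));
    return 0;
}
```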